Considerations on the refresh token

Hey guys, I find myself implementing the refresh token for a project.

I was wondering how to use it properly.

My idea would be to use a service between my frontend and auth0, pass the login details from frontend to backend and then the backend forwards these details to auth0. Then when the response comes back, extract the refresh token and send it back as an httpOnly cookie to the frontend so when the user refreshes the browser's tab, I can call oauth/token and issue a new JWT if it proceeds by calling the backend, then the backend captures that cookie and uses it.

I wonder if there is a way to make auth0 set the cookie for me so I don't need to use a service in the middle. Something like res.setCookie('rf', refreshTokenValue) and then for any successive calls to oauth/token expect this cookie in the request, parse it and reissue the appropriate JWT.

Hey alexxxmf

I cannot recommend storing the refresh token in the browser like that.

Can you explain more what you are trying to achieve?

I don’t understand “pass the login details from frontend to backend”. Do you mean username and password? If so, I cannot recommend this. Instead you should use a redirect flow, probably Auth Code:

Doing this flow will establish a session (including a cookie) that handles the user’s authentication.

I think this may achieve what you want without using a refresh token



Hey John, thanks for the reply. Sorry for not being totally clear in my explanation.

I was referring to something like this:

  1. The user logs in with a login API call.
  2. Server generates JWT Token and refresh_token.
  3. Server sets a HttpOnly cookie with refresh_token. jwt_token and jwt_token_expiry are returned back to the client as a JSON payload.
  4. The jwt_token is stored in memory.
  5. A countdown to a future silent refresh is started based on jwt_token_expiry.

Seems to me like if I want to keep auth0 handling the JWT creation, I need to put some backend between auth0 and the frontend for cookie generation on the server.

Here is the article for reference:
Silent refresh > So what does the new "login" process look like?
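
Steps 2 to 5 of the list above, sketched as the server-side helpers a backend sitting between the frontend and the token issuer would need; this is an added example, not part of the original post or of Auth0's code. The cookie name `rf` and the JSON field names are taken from the thread, while the `/refresh` path, the 30-second skew and the sample token values are assumptions.

```javascript
// Added example. Cookie name "rf" and the JSON field names come from the thread;
// the /refresh path and the 30-second skew are assumptions.
const COOKIE = "rf";

// Step 3: the refresh token goes into an HttpOnly cookie scoped to the refresh route.
function refreshCookie(refreshToken, maxAgeSeconds) {
  return [
    `${COOKIE}=${encodeURIComponent(refreshToken)}`,
    "HttpOnly",          // not readable from page scripts
    "Secure",            // only sent over HTTPS
    "SameSite=Strict",   // not attached to cross-site requests
    "Path=/refresh",     // only sent to the refresh endpoint
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Steps 2-3: split the token set so refresh_token never appears in the JSON body.
function loginResponse(tokens, maxAgeSeconds) {
  return {
    headers: { "Set-Cookie": refreshCookie(tokens.refresh_token, maxAgeSeconds) },
    body: { jwt_token: tokens.jwt_token, jwt_token_expiry: tokens.jwt_token_expiry },
  };
}

// Refresh endpoint: recover the token from the Cookie request header, or null.
function readRefreshCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === COOKIE) {
      try { return decodeURIComponent(part.slice(eq + 1).trim()); }
      catch { return null; } // malformed percent-encoding is treated as no cookie
    }
  }
  return null;
}

// Step 5: delay before the silent refresh, fired slightly ahead of expiry.
function silentRefreshDelayMs(jwtTokenExpiryMs, nowMs, skewMs = 30000) {
  return Math.max(0, jwtTokenExpiryMs - nowMs - skewMs);
}

// Constructed sample values, not real tokens.
const sample = loginResponse(
  { jwt_token: "aaa.bbb.ccc", jwt_token_expiry: 1700000900000, refresh_token: "v1.sample/refresh+token" },
  2592000
);
```

Step 4 stays on the client: the frontend keeps `jwt_token` in a variable and never sees the refresh token, because the cookie is HttpOnly and only travels to the refresh path.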

Quick Question: what type of application are you developing? Is this a JavaScript app with no dedicated backend? A JavaScript app with a BFF or dedicated backend? Or a classic webapp with a mostly HTML front end and a backend?

The reason I ask: the blog is focused on JWTs and not on appropriate flows (and thus how they handle sessions). At the top, where it says "Basics: Login", this is NOT usually the right way to log in.

The article is focused on JWTs, but you should be looking at the entire flow.

Let’s start with what kind of app, then I can point you to the proper flow - it will be Auth Code or Auth Code + PKCE or Implicit.


I stumbled upon this chat whilst I was searching online for materials on implementing Refresh Token with Auth0, GraphQL and Gatsby.

Background… I have successfully implemented a web app with authentication using the following stack…

Frontend: Gatsby + Auth0 + Apollo
Backend: Apollo Server 2.0 + Auth0 + Node + Mongoose

I am able to have public routes as well as authenticated routes.

Everything is working fine except when the token stored in my browser expires. Thereupon, my app will fail.

I would like to go one step further and implement a refresh token for my web app. I cannot find any relevant material online which I can refer to (unlike implementing authentication and authorization) so that I can implement a refresh token in my web app. Any guidance as to how I can proceed from here? Thanks